CyberWire Daily - Masad Steals via Social Media. [Research Saturday]
Episode Date: October 26, 2019
Researchers at Juniper Networks have been tracking a trojan they call Masad Stealer, which uses the Telegram instant messaging platform for part of its command and control infrastructure. (Telegram wasn't hacked; it's the innocent conduit.) Mounir Hahad is head of Juniper Threat Labs at Juniper Networks and he joins us to share their findings. The original research is here: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram/ba-p/468559
Transcript
You're listening to the CyberWire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying
every request based on identity and context, simplifying security management with AI-powered
automation, and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com/security.
We were looking into the ability of botnets to be communicating over encrypted channels.
That's Mounir Hahad. He's the head of Juniper Threat Labs at Juniper Networks. The research we're discussing today is titled Masad Stealer: Exfiltrating Using Telegram.
What we realized is that as we were running some of the known ones into our sandboxes,
we ran into this one that looked a little bit different because we did not expect communications
with the Telegram web server.
And we figured, hey, this looks interesting.
Let's dig into it a little bit deeper.
That led to this whole discovery.
Well, just for folks to be clear, what is Telegram and how does it work?
Telegram is an end-to-end encrypted chat and messaging communication platform. It has been
developed for a number of years and is very widely used. It's estimated that the number
of Telegram users today is about 200 million
users worldwide. It's one of those applications like WhatsApp that claims to be an encryption
end-to-end and therefore is kind of shielding its users from any spying eyes. And it has had
a lot of notoriety lately, especially since it has been banned in Russia, presumably because the government was
not able to spy on the people it wanted to. So that kind of brought it to prominence.
Well, let's walk through the research together. And let's start off, what does Masad Stealer do?
So the Masad Stealer is a Trojan. It comes in via other applications and sometimes fake downloads.
You're downloading something that you believe is an application you're looking for, and
you end up downloading either directly or inadvertently bundled with other applications
this Masad Stealer.
Once it is installed on your device, Masad is going to try to remain persistent in your device, basically being able to survive reboots.
And it is able to snoop around your device and find interesting pieces of information to exfiltrate.
The simple stuff like the type of device you're on, a lot of that is kind of run-of-the-mill.
But then it is capable of looking into files and into your browser data, and it exfiltrates that.
So, for example, it is able to look at all your form-filled data, including usernames and passwords, and it will collect all of those and send them to the controller of the bot.
And in addition to that, it is able to exfiltrate files from your desktop or from your Telegram data,
as well as from certain applications that are used for simpler FTP file exchange.
So, for example, FileZilla is one of them.
So it will look for files you have downloaded over FTP.
Now on top of that, it has a clipping feature, which can look at your clipboard.
You know, when you're copying items from one application to the next,
you copy a sentence, you want to paste it somewhere else.
This Masad Stealer is looking for certain patterns that look like cryptocurrency wallet
addresses.
And as soon as you've copied one of those before you paste it into your destination
application, Masad will replace it with its own string for its own wallet.
And what that does is it allows the Masad Stealer to basically have funds transferred to its own wallet instead of whatever destination you were meaning it to be.
Could it inadvertently flow in the other direction?
Could I accidentally take money out of Masad's wallet?
No, that is not possible because typically before you can move currency around, you need to
be able to log in into your account with your particular wallet. And you will not be able to
do that with the Masad wallet because you don't have their password. So that's not possible. It
only flows in one direction. The other direction is more likely to cause errors during the exercise.
I see.
And it also includes the ability to zip the things that it's going to exfiltrate?
That is correct, yes.
There is a current limitation of about 50 megabytes on the files that are being extracted. So it is able to compress all the data it is interested in in order to send it to the control bot.
And it does that using the 7-zip utility, which actually comes bundled within its own binary.
And then how does it go about sending the information out?
In order to send that information, it still uses the Telegram application.
The Telegram protocol itself is very powerful. And it allows using an API,
application programming interface, to do file movements. So it just sends the file to a Telegram user, which is hardcoded within the binary itself. And that way,
the recipient receives the file. Just like, for instance, if you were a Telegram chat user and you wanted to
send a picture to the person you're chatting with, it uses pretty much the same API.
Because it's using this API, if I'm a regular user of Telegram, this wouldn't show up in my
interface or anything. This would all be happening behind the scenes.
That is correct, because you do not actually need to be a Telegram user for all of
this to happen. The malware author is using the Telegram infrastructure, but it basically uses
HTTPS, just like a web browser would, to go through an intermediate proxy for the actual protocol
that Telegram uses. So for all intents and purposes, you do not have to be a Telegram
user to be affected by this particular malware. But if you were to be a Telegram user, your
exposure is a little bit higher because it gives access to all your Telegram data to the bot
operator.
What have you learned that's going on with the command and control servers?
Well, what we have learned so far is that there is a number of them.
It's not just one or two. We know that there are about 338 unique bot IDs.
Now, that can mean one of several things.
Either the same threat actor has deployed multiple campaigns, or multiple acquirers of this malware are using it each for their own purposes.
And the third option would be that the same threat actor in the same campaign, in order
to make it a little bit more difficult to follow the tracks, is starting to use multiple
bot IDs for potentially multiple
purposes within the same campaign.
So what that tells us is that it is fairly used out there in the wild.
And we know for sure that there is a Telegram group that has been specifically created for
customers of this off-the-shelf malware.
And that alone has about 318 users or members into the group.
So that says either these people have purchased the malware and are using it,
or at least are interested in purchasing the malware.
Now, usually when this kind of a group is set up,
it's in order to provide some sort of a customer support to the acquirers of the malware.
But we don't know for sure.
We've found the malware being bundled with about 15 popular downloads, usually downloaded applications.
So that tells me that the exposure is fairly high.
Some of those applications even happen to be typical utilities that come with
Windows. But for some reason, sometimes people wouldn't want to download them again, and you
would end up with a Masad Stealer bundled into that same application. So we're still doing some
work. We're not completely done with analyzing the infrastructure that these threat actors are
using. And we may be able to have some follow-up
in the near future about our findings. Now, some of the versions of this that you've been tracking
have the ability to download additional malware? That is correct. It's very typical from a Trojan
perspective to have this ability of being modular and being able to download updates or additional malware. The ones we have
seen so far only download crypto miners, and it's usually a Monero miner. So effectively,
if there's nothing interesting to steal from your laptop, they will use it to mine cryptocurrency.
I see. Now, take us through what you're seeing in terms of this being advertised and sold on the online hacker forums.
Well, that's the part where we don't have a lot of information.
But what we have seen so far is that it is clearly advertised.
The project exists.
It even has its own dedicated website called Masad Life.
And we've seen quite a bit of activity from people interested,
not the least being the creation of that, you know, that Telegram group with 300 plus people
that are interested. So, you know, if you're into the underground forums, you would definitely see
the offering. And we can tell that a lot of people are interested in purchasing this piece of malware. So what are your recommendations in terms of people protecting themselves against it?
You know, the usual protection for the general public is be extremely aware of where you
download your applications from. A lot of people, unfortunately, get infected because their kids,
for example, are looking for some game hacks or simple
applications to do certain things very quickly.
So you have to be aware that most of those applications that are available for free,
there's usually a hidden cost behind them.
Sometimes that hidden cost is something like Masad Stealer.
Sometimes it's cryptocurrency miner.
Sometimes it's a ransomware.
So you have to be extremely careful.
You need to make sure that you have a good antivirus installed on every one of your endpoints.
That's from a consumer perspective.
From an enterprise and a business perspective, it should be looked into from the angle of a network solution
because the use of a protocol like Telegram should not be something that's commonly used
around businesses.
So there are plenty of next generation firewalls that are capable of identifying communication
meant to be Telegram,
and you should be able to block that communication entirely. In addition to that,
most of the next generation firewalls, including the one that Juniper Networks has,
offer the ability to do advanced threat prevention. And using machine learning,
what we have discovered is that most, actually all of these samples that we found would be detected by machine learning approaches.
So customers need to make sure that they enable the advanced threat prevention in any egress points that they have to the Internet.
What is your estimation of the sophistication of these folks?
You know, it seems like it's relatively sophisticated from the point of view that they're reaching out to using a protocol that not a lot of people have used for
command and control. But at the same time, it's not extremely sophisticated. Like for instance,
the method that is used for persistence is relatively easy to find and detect and remediate against. So to me, this is an average
sophistication level. I think that this story is still unfolding. We have seen those crypto wallets
being used quite a bit recently. And we know that, for instance, this operation has been going on for
a relatively long time since we've seen some people victimized as early as
June 18 of this year. And it's funny, we know that because somebody actually had some funds
transferred from his cryptocurrency wallet to one of these wallets, and they believed it was by
mistake. So they posted it online and said, hey, this operation happened by mistake.
If you don't mind, please return my funds back. And that has happened in June. So that operation
has been going on for a while. And given the interest, my suspicion is that we'll see more
campaigns using this malware. And given the variety of samples that we have seen, we know that it's in active development and we're going to see variations of it that are going to try to do a little bit better in terms of sophistication.
Can you give me some insights as to what happens for you as a researcher when you're trying to track something that is off the shelf this way, where you could have lots of people buying this and
putting it to use for themselves. What are the methods that you use to try to differentiate
different groups who might be using the same tool?
One approach that we take, for example, is trying to follow the trace of the money.
Most of these samples do have multiple cryptocurrency wallet IDs embedded in them.
They're not all the same.
So out of, let me try to remember, I think we've seen somewhere along the lines of 15
or 18 different cryptocurrencies.
You will find that in one sample, for example, there will be three or four different wallet
IDs. And in the next sample,
there's going to be four or five. But if you try to overlap the cryptocurrency wallet IDs between
the two samples, it is not a full overlap. So you will find that maybe one wallet ID is the same,
but the others are different. So for us, if looking at all the
samples that we managed to get our hands on, if we are able to overlap all the cryptocurrency
wallet IDs, we can probably draw a map on the number of different threat actors that are involved
in using all those samples. So that's one of the approaches we use to identify whether it's
the same group doing all of this or whether it's totally different groups.
Our thanks to Mounir Hahad from Juniper Threat Labs for joining us. The research is titled
Masad Stealer: Exfiltrating Using Telegram. We'll have a link in the show notes.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Valecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.